Hi @ch4mpy, is it possible to have the same endpoint accessed via different authentication mechanisms? For example, I can prefix all of the third-party related APIs with /api/ in order to distinguish the endpoints from the authentication perspective for the gateway. Any pointers to address the above scenario will be really helpful. Thanks,
That's exactly what I'd recommend: define two sets of routes with a different prefix and only one with the `TokenRelay=` filter. Note that for best efficiency, routes without the `TokenRelay=` filter should be processed with a stateless security filter chain, or without security at all (the tokens are checked by the downstream resource servers).

```xml
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
  <groupId>com.c4-soft.springaddons</groupId>
  <artifactId>spring-addons-starter-oidc</artifactId>
</dependency>
```

With

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          sso:
            issuer-uri: ${oauth2-issuer}
        registration:
          bff:
            provider: sso
            client-id: ${oauth2-client-id}
            client-secret: ${oauth2-client-secret}
            authorization-grant-type: authorization_code
            scope: openid, profile, email, offline_access
  cloud:
    gateway:
      server:
        webmvc:
          routes:
            # Routes behind the BFF: session-based, the TokenRelay filter adds the Bearer token
            - id: bff
              uri: ${api-internal-uri}
              predicates:
                - Path=/bff/**
              filters:
                - TokenRelay=
            # Direct access: requests are forwarded as-is, the downstream resource server checks the token
            - id: direct-access
              uri: ${api-internal-uri}
              predicates:
                - Path=/resources/**

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: ${oauth2-issuer}
            authorities:
              - path: $.resource_access.${oauth2-client-id}.roles
        client:
          pkce-forced: true
          post-logout-redirect-host: ${reverse-proxy-uri}
          post-logout-redirect-path: /ui/
          security-matchers:
            - /login/**
            - /oauth2/**
            - /logout/**
            - /bff/**
          permit-all:
            - /login/**
            - /oauth2/**
            - /logout/connect/back-channel/${oauth2-client-id}
            - /bff/**
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            authentication-entry-point: UNAUTHORIZED
            pre-authorization-code: OK
            rp-initiated-logout: ACCEPTED
          back-channel-logout:
            enabled: true
            internal-logout-uri: ${gateway-public-uri}/logout/connect/back-channel/${oauth2-client-id}
        # OAuth2 resource server configuration
        resourceserver:
          permit-all:
            - /resources/**
            - /login-options
            - /ui/**
            - /v3/api-docs/**
            - /actuator/health/readiness
            - /actuator/health/liveness
            - /.well-known/**
```

The above processes the requests with a path starting with

```yaml
# PathPattern syntax (not regex): these values are fed to PathPatternRequestMatcher in the filter chain below
disabled-security:
  - /resources/**
  - /login-options
  - /ui/**
  - /v3/api-docs/**
  - /actuator/health/readiness
  - /actuator/health/liveness
  - /.well-known/**
```

```java
import java.util.List;
import java.util.Optional;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
class SecurityConf {
    // Highest precedence: requests matching "disabled-security" never reach the OAuth2 client or resource server chains
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain disabledSecurityFilterChain(HttpSecurity http, ServerProperties serverProperties,
            Environment env) throws Exception {
        // A YAML list binds to indexed keys (disabled-security[0], ...) that a ${disabled-security} placeholder can't resolve
        final List<String> disabledSecurity = Binder.get(env).bind("disabled-security", Bindable.listOf(String.class)).get();
        final var matcherBuilder = PathPatternRequestMatcher.withDefaults();
        Optional.ofNullable(serverProperties.getServlet().getContextPath()).ifPresent(matcherBuilder::basePath);
        final var securityMatcher = new OrRequestMatcher(disabledSecurity.stream()
                .map(path -> matcherBuilder.matcher(path)).map(RequestMatcher.class::cast).toList());
        return http.securityMatcher(securityMatcher)
                .authorizeHttpRequests(requests -> requests.anyRequest().permitAll())
                .sessionManagement(sessions -> sessions.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(AbstractHttpConfigurer::disable)
                .build();
    }
}
```
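Because the disabled-security chain is ordered HIGHEST_PRECEDENCE, any path matched by both it and the client's security-matchers would be served with no security at all. The lint below is an added example, not code from this discussion or from spring-addons: it classifies constructed sample paths against the two pattern lists from the configuration above, using the same PathPattern syntax PathPatternRequestMatcher relies on; that unmatched paths end up in the resource server chain follows from the resourceserver section being configured, and the class and enum names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.http.server.PathContainer;
import org.springframework.web.util.pattern.PathPatternParser;

// Hypothetical lint for the two-chain split; not part of spring-addons or the discussion above.
public class FilterChainSplitLint {
    enum Chain { OVERLAP, DISABLED_SECURITY, OAUTH2_CLIENT, RESOURCE_SERVER }

    private static final PathPatternParser PARSER = new PathPatternParser();

    // Pattern lists copied from the configuration in the answer (PathPattern syntax, not regex)
    static final List<String> CLIENT_SECURITY_MATCHERS = List.of(
            "/login/**", "/oauth2/**", "/logout/**", "/bff/**");
    static final List<String> DISABLED_SECURITY = List.of(
            "/resources/**", "/login-options", "/ui/**", "/v3/api-docs/**",
            "/actuator/health/readiness", "/actuator/health/liveness", "/.well-known/**");

    static boolean matchesAny(List<String> patterns, String path) {
        PathContainer container = PathContainer.parsePath(path);
        return patterns.stream().map(PARSER::parse).anyMatch(pattern -> pattern.matches(container));
    }

    // The disabled-security chain has the highest precedence, so an overlap means the OAuth2 client
    // chain is silently bypassed; paths matched by neither list fall through to the resource server chain.
    static Chain chainFor(String path) {
        boolean disabled = matchesAny(DISABLED_SECURITY, path);
        boolean client = matchesAny(CLIENT_SECURITY_MATCHERS, path);
        if (disabled && client) return Chain.OVERLAP;
        if (disabled) return Chain.DISABLED_SECURITY;
        if (client) return Chain.OAUTH2_CLIENT;
        return Chain.RESOURCE_SERVER;
    }

    public static void main(String[] args) {
        // Constructed sample paths; /api/greet is the prefix from the question and is in neither list
        List<String> samples = List.of("/bff/api/greet", "/resources/api/greet", "/login-options",
                "/oauth2/authorization/bff", "/ui/index.html", "/actuator/health/readiness", "/api/greet");
        List<String> overlaps = new ArrayList<>();
        for (String path : samples) {
            Chain chain = chainFor(path);
            System.out.printf("%-28s -> %s%n", path, chain);
            if (chain == Chain.OVERLAP) overlaps.add(path);
        }
        // Fail loudly: an overlap would put a permit-all chain in front of a BFF route
        if (!overlaps.isEmpty()) throw new IllegalStateException("Overlapping security matchers: " + overlaps);
    }
}
```

Running it with the lists as configured reports no overlap and shows `/api/greet` landing in the resource server chain, i.e. it needs a Bearer token unless it is added to one of the two lists.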